Context
On 7 August 2024, Symantec researchers published the technical details of multiple cyberespionage campaigns that leverage legitimate cloud services to deliver new malware to multiple organizations, most of them government or military bodies and one a media firm. One of these new malware families, the backdoor designated GoGra, was observed being delivered to a media organization located in South Asia.
Technical Details
According to Symantec researchers:
“GoGra is written in Go and uses the Microsoft Graph API to interact with a command-and-control (C&C) server hosted on Microsoft mail services. […] GoGra is configured to read messages from an Outlook username “FNU LNU” whose subject line starts with the word “Input”. It decrypts the message contents using the AES-256 algorithm in Cipher Block Chaining (CBC) mode, using the following key: b14ca5898a4e4133bbce2ea2315a1916.
GoGra executes commands via the cmd[.]exe input stream and supports an additional command named “cd” which changes the active directory. After the execution of a command, it encrypts the output and sends it to the same user with the subject “Output”.
Analysis of the backdoor revealed that it is highly likely it was developed by Harvester, a nation-state-backed group uncovered by Symantec in 2021 that specializes in targeting organizations in South Asia.”
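An analyst-side triage helper, added here and not part of Symantec's or RH-ISAC's material, that applies the mailbox indicators quoted above (the “FNU LNU” user, subjects starting with “Input” or “Output”) and decrypts a flagged body with the documented key. It assumes the key string is used as its raw 32 ASCII bytes and that a 16-byte IV precedes PKCS#7-padded ciphertext; the write-up states neither detail, so a padding error on a real sample means the layout differs and should be confirmed against the binary.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
	"strings"
)

// Key quoted in the Symantec write-up, assumed here to be used as its raw
// 32 ASCII bytes (exactly the AES-256 key length).
var gograKey = []byte("b14ca5898a4e4133bbce2ea2315a1916")
// MailItem is a constructed, minimal view of one exported mailbox message.
type MailItem struct {
	Sender, Recipient, Subject string
	Body                       []byte // ciphertext as the backdoor stores it
}

// isGograTraffic applies the write-up's mailbox indicators: traffic with the
// "FNU LNU" user whose subject starts with Input (tasking) or Output (results).
func isGograTraffic(m MailItem) bool {
	peer := strings.EqualFold(m.Sender, "FNU LNU") || strings.EqualFold(m.Recipient, "FNU LNU")
	return peer && (strings.HasPrefix(m.Subject, "Input") || strings.HasPrefix(m.Subject, "Output"))
}

// decryptBody recovers a flagged message's plaintext with AES-256-CBC.
// Assumption not stated in the write-up: a 16-byte IV precedes the ciphertext
// and the plaintext is PKCS#7 padded; a padding error means that guess is wrong.
func decryptBody(body []byte) (string, error) {
	if len(body) < 2*aes.BlockSize || len(body)%aes.BlockSize != 0 {
		return "", errors.New("body is not IV + whole AES blocks")
	}
	block, _ := aes.NewCipher(gograKey) // fixed 32-byte key, cannot fail
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", errors.New("bad PKCS#7 padding: IV layout or key differs from the assumption")
	}
	return string(pt[:len(pt)-pad]), nil
}

func main() {
	// Constructed message that matches the indicators; a real export would supply the body.
	m := MailItem{Sender: "FNU LNU", Recipient: "victim@example.test", Subject: "Input 1"}
	fmt.Println("flagged:", isGograTraffic(m))
}
```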
Community Impact
Many RH-ISAC Core Members operate in the media space and have operations located in the South Asia region, and new malware tools from known sophisticated actors are known to spread across targeted industries and regions. As such, Members are advised to maintain situational awareness around emerging cyber threats and to review the mitigations, indicators, and tactics shared by Symantec, all included here.
Mitigations
Symantec researchers provided the following best practices to counter the tactics, techniques, and procedures (TTPs) leveraged in the campaign:
Block cloud services not used by your organization
Profile network traffic and monitor for network anomalies
Use application whitelisting where applicable
Block non-browser processes connecting to cloud services
Identify critical assets in your organization and monitor them for exfiltration of data
Activate host based and cloud audit logs
IOCs
Symantec researchers provided the following indicators of compromise (IOCs):
TTPs
Symantec researchers provided the following TTPs:
Establish Accounts: Cloud Accounts
ID: T1585.003
Sub-technique of: T1585 – Establish Accounts
Tactic: Resource Development
Description: Adversaries may create accounts with cloud providers that can be used during targeting. Adversaries can use cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, MEGA, Microsoft OneDrive, or AWS S3 buckets for Exfiltration to Cloud Storage or to Upload Tools.
Stage Capabilities: Upload Malware
ID: T1608.001
Sub-technique of: T1608 – Stage Capabilities
Tactic: Resource Development
Description: Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content.
Stage Capabilities: Upload Tool
ID: T1608.002
Sub-technique of: T1608 – Stage Capabilities
Tactic: Resource Development
Description: Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting. Tools can be open or closed source, free or commercial. Adversaries may upload tools to support their operations, such as making a tool available to a victim network to enable Ingress Tool Transfer (i.e. PowerShell, Certutil) by placing it on an Internet-accessible web server.
Command and Scripting Interpreter: Cloud API
ID: T1059.009
Sub-technique of: T1059 – Command and Scripting Interpreter
Tactic: Execution
Description: Adversaries may abuse cloud APIs to execute malicious commands.
Exfiltration Over Web Service: Exfiltration to Cloud Storage
ID: T1567.002
Sub-technique of: T1567 – Exfiltration Over Web Service
Tactic: Exfiltration
Description: Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the internet.